--- title: Add a user to your InfluxDB cluster description: Add a user with administrative access to your InfluxDB cluster through your identity provider and your InfluxDB AppInstance resource. url: https://docs.influxdata.com/influxdb3/clustered/admin/users/add/ estimated_tokens: 7953 product: InfluxDB Clustered version: clustered --- # Add a user to your InfluxDB cluster Add a user with administrative access to your InfluxDB cluster through your [identity provider](/influxdb3/clustered/install/secure-cluster/auth/) and your InfluxDB `AppInstance` resource: 1. Use your identity provider to create an OAuth2 account for the user that needs administrative access to your InfluxDB cluster. **Refer to your identity provider’s documentation for information about adding users:** - [Keycloak: Creating users](https://www.keycloak.org/docs/latest/server_admin/#proc-creating-user_server_administration_guide) - [Microsoft Entra ID: How to create, invite, and delete users](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/add-users) - [Auth0: Team member management](https://auth0.com/docs/get-started/auth0-teams/team-member-management) 2. Add the user to your InfluxDB `AppInstance` resource. You can edit your `AppInstance` resource directly in your `myinfluxdb.yml`, or, if you’re using the [InfluxDB Clustered Helm chart](https://github.com/influxdata/helm-charts/tree/master/charts/influxdb3-clustered), you can add users to your `values.yaml` to modify your `AppInstance` resource. Required credentials depend on your identity provider. **AppInstance:** If editing your `AppInstance` resource directly, provide values for the following fields in your `myinfluxdb.yml` configuration file: - `spec.package.spec.admin` - `identityProvider`: Identity provider name. *If using Microsoft Entra ID (formerly Azure Active Directory), set the name to `azure`*. - `jwksEndpoint`: JWKS endpoint provide by your identity provider. - `users`: List of OAuth2 users to grant administrative access to your InfluxDB cluster. IDs are provided by your identity provider. Below are examples for **Keycloak**, **Auth0**, and **Microsoft Entra ID**, but other OAuth2 providers should work as well: **Keycloak:** ```yaml apiVersion: kubecfg.dev/v1alpha1 kind: AppInstance # ... spec: package: spec: admin: identityProvider: keycloak jwksEndpoint: |- https://KEYCLOAK_HOST/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Keycloak. - id: KEYCLOAK_USER_ID firstName: Marty lastName: McFly email: mcfly@influxdata.com ``` Replace the following: - `KEYCLOAK_HOST`: Host and port of your Keycloak server - `KEYCLOAK_REALM`: Keycloak realm - `KEYCLOAK_USER_ID`: Keycloak user ID to grant InfluxDB administrative access to *(See [Find user IDs with Keycloak](/influxdb3/clustered/install/secure-cluster/auth/#find-user-ids-with-keycloak))* **Auth0:** ```yaml apiVersion: kubecfg.dev/v1alpha1 kind: AppInstance # ... spec: package: spec: admin: identityProvider: auth0 jwksEndpoint: |- https://AUTH0_HOST/.well-known/openid-configuration users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Auth0. - id: AUTH0_USER_ID firstName: Marty lastName: McFly email: mcfly@influxdata.com ``` Replace the following: - `AUTH0_HOST`: Host and port of your Auth0 server - `AUTH0_USER_ID`: Auth0 user ID to grant InfluxDB administrative access to **Microsoft Entra ID:** ```yaml apiVersion: kubecfg.dev/v1alpha1 kind: AppInstance # ... spec: package: spec: admin: identityProvider: azure jwksEndpoint: |- https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Azure. - id: AZURE_USER_ID firstName: Marty lastName: McFly email: mcfly@influxdata.com ``` Replace the following: - `AZURE_TENANT_ID`: Microsoft Entra tenant ID - `AZURE_USER_ID`: Microsoft Entra user ID to grant InfluxDB administrative access to *(See [Find user IDs with Microsoft Entra ID](/influxdb3/clustered/install/secure-cluster/auth/?t=Microsoft+Entra+ID#find-user-ids-with-microsoft-entra-id))* **Helm:** If using the InfluxDB Clustered Helm chart, provide values for the following fields in your `values.yaml`: - `admin` - `identityProvider`: Identity provider name. *If using Microsoft Entra ID (formerly Azure Active Directory), set the name to `azure`*. - `jwksEndpoint`: JWKS endpoint provide by your identity provider. - `users`: List of OAuth2 users to grant administrative access to your InfluxDB cluster. IDs are provided by your identity provider. Below are examples for **Keycloak**, **Auth0**, and **Microsoft Entra ID**, but other OAuth2 providers should work as well: **Keycloak:** ```yaml admin: # The identity provider to be used (such as "keycloak", "auth0", or "azure") # Note, use "azure" for Azure Active Directory identityProvider: keycloak # The JWKS endpoint provided by the Identity Provider jwksEndpoint: |- https://KEYCLOAK_HOST/auth/realms/KEYCLOAK_REALM/protocol/openid-connect/certs # The list of users to grant access to Clustered via influxctl users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Keycloak. - id: KEYCLOAK_USER_ID firstName: Marty lastName: McFly email: mcfly@influxdata.com ``` Replace the following: - `KEYCLOAK_HOST`: Host and port of your Keycloak server - `KEYCLOAK_REALM`: Keycloak realm - `KEYCLOAK_USER_ID`: Keycloak user ID to grant InfluxDB administrative access to **Auth0:** ```yaml admin: # The identity provider to be used e.g. "keycloak", "auth0", "azure", etc # Note, use "azure" for Azure Active Directory. identityProvider: auth0 # The JWKS endpoint provided by the Identity Provider jwksEndpoint: |- https://AUTH0_HOST/.well-known/openid-configuration # The list of users to grant access to Clustered via influxctl users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Auth0. - id: AUTH0_USER_ID firstName: Marty lastName: McFly email: mcfly@influxdata.com ``` Replace the following: - `AUTH0_HOST`: Host and port of your Auth0 server - `AUTH0_USER_ID`: Auth0 user ID to grant InfluxDB administrative access to **Microsoft Entra ID:** ```yaml admin: # The identity provider to be used e.g. "keycloak", "auth0", "azure", etc # Note, use "azure" for Azure Active Directory. identityProvider: azure # The JWKS endpoint provided by the Identity Provider jwksEndpoint: |- https://login.microsoftonline.com/AZURE_TENANT_ID/discovery/v2.0/keys # The list of users to grant access to Clustered via influxctl users: # All fields are required but `firstName`, `lastName`, and `email` can be # arbitrary values. However, `id` must match the user ID provided by Azure. - id: AZURE_USER_ID firstName: Marty lastName: McFly email: mcfly@influxdata.com ``` Replace the following: - `AZURE_TENANT_ID`: Microsoft Entra tenant ID - `AZURE_USER_ID`: Microsoft Entra user ID to grant InfluxDB administrative access to *(See [Find user IDs with Microsoft Entra ID](/influxdb3/clustered/install/secure-cluster/auth/?t=Microsoft+Entra+ID#find-user-ids-with-microsoft-entra-id))* 3. Apply the change to your InfluxDB cluster. - If updating the `AppInstance` resource directly, use `kubectl` to apply the change. - If using the InfluxDB Clustered Helm chart, use `helm` to apply the change. **kubectl:** ```bash kubectl apply \ --filename myinfluxdb.yml \ --namespace influxdb ``` **Helm:** ```bash helm upgrade \ influxdb \ influxdata/influxdb3-clustered \ -f ./values.yaml \ --namespace influxdb ``` Once applied, the added user is granted administrative access to your InfluxDB cluster and can use `influxctl` to perform administrative actions. See [Set up Authorization–Configure influxctl](/influxdb3/clustered/install/secure-cluster/auth/#configure-influxctl) for information about configuring the new user’s `influxctl` client to communicate and authenticate with your InfluxDB cluster’s identity provider. #### Related - [Set up administrative authentication](/influxdb3/clustered/install/secure-cluster/auth/) - [Configure your InfluxDB cluster](/influxdb3/clustered/install/set-up-cluster/configure-cluster/)